Initial commit from source repository

SCT-Engineering · Jun 26, 2025 · 5f40497 · 5f40497
1 parent c71e23f
commit 5f40497
Show file tree

Hide file tree

Showing 75 changed files with 4,650 additions and 0 deletions.
diff --git a/_envcommon/common-variables.hcl b/_envcommon/common-variables.hcl
@@ -0,0 +1,23 @@
+# lab/_envcommon/common-variables.hcl
+
+# ---------------------------------------------------------------------------------------------------------------------
+# GLOBAL PARAMETERS
+# These are the variables we pass to use across modules regardless of environment, i.e. these are the parameters 
+# that are common across all environments/accounts.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+  organization        = "census:ocio:csvd"
+  project_name        = "csvd_platformbaseline"
+  project_number      = "fs0000000078"
+  project_role        = "csvd_platformbaseline_app"
+  state_bucket_prefix = "inf-tfstate"
+  state_table_name    = "tf_remote_state"
+  route53_endpoints = {
+    route53_main = {
+      "account_id"    = "269244441389"
+      "alias"         = "lab-gov-network-nonprod"
+      "us-gov-east-1" = "vpc-070595c5b133243dd"
+      "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1"
+    }
+  }
+}
diff --git a/_envcommon/default-versions.hcl b/_envcommon/default-versions.hcl
@@ -0,0 +1,145 @@
+# lab/_envcommon/default-versions.hcl
+
+locals {
+  #####################
+  # Module Versions
+  #####################
+  cluster_version            = "1.31"
+  custom_service_eks_account = "${local.release_version}"
+  eks_module_version         = "20.33.1"
+  istio_ingress_version      = "${local.release_version}"
+  release_version            = "main" # "main" # change to main when testing updated modules
+
+  #####################
+  # TF Providers
+  #####################
+  aws_version        = "5.84.0"
+  helm_version       = "2.11.0"
+  kubernetes_version = "2.33.0"
+  null_version       = "3.2.1"
+  random_version     = "3.5.1"
+  template_version   = "2.2.0"
+  tf_version         = "1.5.5"
+
+  #####################
+  # Namespaces Config
+  #####################
+  operator_namespace  = "aoperator"
+  telemetry_namespace = "atelemetry"
+  namespaces = {
+    cert-manager   = "kube-system"
+    karpenter      = "karpenter"
+    metrics-server = "kube-system"
+    postgresql     = "kube-system"
+    keycloak       = "keycloak"
+    gogatekeeper   = "kube-system"
+    istio          = "istio-system"
+    kiali          = "istio-system"
+    grafana        = local.telemetry_namespace
+    k8s-dashboard  = local.telemetry_namespace
+    loki           = local.telemetry_namespace
+    otel           = local.telemetry_namespace
+    prometheus     = local.telemetry_namespace
+    tempo          = local.telemetry_namespace
+  }
+
+  #####################
+  # EKS Config
+  #####################
+
+  ################
+  # Cert-Manager
+  ################
+  cluster_issuer_name              = "cert-manager"
+  cert_manager_cainjector_tag      = "v${local.cert_manager_version}"
+  cert_manager_controller_tag      = "v${local.cert_manager_version}"
+  cert_manager_helm_chart          = "${local.cert_manager_version}"
+  cert_manager_startupapicheck_tag = "v${local.cert_manager_version}"
+  cert_manager_version             = "1.17.1"
+  cert_manager_webhook_tag         = "v${local.cert_manager_version}"
+
+  ################
+  # GoGatekeeper
+  ################
+  gogatekeeper_tag           = "3.2.1"
+  gogatekeeper_chart_version = "0.1.53"
+
+  ################
+  # Grafana
+  ################
+  grafana_hostname               = "grafana"
+  grafana_operator_chart_version = "4.9.8"
+  grafana_operator_tag           = "5.16.0"
+  grafana_tag                    = "11.5.2"
+  os_shell_image_tag             = "12"
+
+  ################
+  # Istio
+  ################
+  istio_namespace = "istio-system"
+  istio_version   = "1.25.0"
+
+  ################
+  # k8s-dashboard
+  ################
+  dashboard_hostname            = "dashboard"
+  k8s_dashboard_metrics_scraper = "1.0.8"
+  k8s_dashboard_version         = "6.0.6"
+
+  ################
+  # Karpenter
+  ################
+  karpenter_helm_chart = "1.3.1"
+  karpenter_tag        = "1.3.1"
+
+  ################
+  # Keycloak
+  ################
+  keycloak_chart_version = "24.4.11"
+  keycloak_tag           = "26.1.3"
+  keycloak_hostname      = "keycloak"
+  keycloak_database      = "keycloak"
+  keycloak_username      = "keycloak"
+  keycloak_password      = "this is my very secure and totally random password horse battery staple now"
+  postgresql_tag         = "17.4.0-debian-12-r2"
+
+  ################
+  # Kiali
+  ################
+  kiali_operator_version    = "2.2.0"
+  kiali_application_version = "v${local.kiali_operator_version}"
+
+  ################
+  # Loki
+  ################
+  loki_chart_version              = "6.27.0"
+  loki_tag                        = "3.4.2"
+  enterprise_logs_provisioner_tag = "v1.7.0"
+  gateway_tag                     = "1.27-alpine"
+  memcached_tag                   = "1.6.37"
+  exporter_tag                    = "v0.15.0"
+  sidecar_tag                     = "1.27.4"
+
+  ################
+  # Metrics Server
+  ################
+  metrics_server_helm_chart = "3.12.2"
+  metrics_server_tag        = "0.7.2"
+
+  ################
+  # Prometheus
+  ################
+  prometheus_chart_version       = "27.5.1"
+  prometheus_server_tag          = "v3.2.1"
+  prometheus_config_reloader_tag = "v0.75.2"
+  alertmanager_tag               = "v0.28.0"
+  kube_state_metrics_tag         = "v2.15.0"
+  node_exporter_tag              = "v1.9.0"
+  pushgateway_tag                = "v1.11.0"
+
+  ################
+  # Tempo
+  ################
+  tempo_chart_version = "1.18.2"
+  tempo_tag           = "2.7.1"
+}
diff --git a/development/account.hcl b/development/account.hcl
@@ -0,0 +1,13 @@
+# lab/development/account.hcl
+
+# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
+# terragrunt.hcl configuration. Terragrunt often segments account and environment, but given our strategy is to 
+# leverage accounts as environment boundaries, there is an anticipated 1:1 account to environment model that 
+# combines these here. 
+locals {
+  account_name     = "lab-dev-ew"
+  aws_account_id   = "224384469011"
+  aws_profile      = "224384469011-lab-dev-gov"
+  environment      = "development"
+  environment_abbr = "dev"
+}
diff --git a/development/us-gov-east-1/region.hcl b/development/us-gov-east-1/region.hcl
@@ -0,0 +1,7 @@
+# lab/development/us-gov-east-1/region.hcl
+
+# Set common variables for the region. This is automatically pulled in in the root terragrunt.hcl configuration to
+# configure the remote state bucket and pass forward to the child modules as inputs.
+locals {
+  aws_region = "us-gov-east-1"
+}
diff --git a/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl b/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
@@ -0,0 +1,28 @@
+locals {
+  # Cluster specific configuration
+  cluster_endpoint_public_access           = true
+  cluster_name                             = "platform-eng-eks-mcm"
+  cluster_mailing_list                     = "matthew.c.morgan@census.gov"
+  eks_instance_disk_size                   = 100
+  eks_ng_desired_size                      = 2
+  eks_ng_max_size                          = 10
+  eks_ng_min_size                          = 2
+  enable_cluster_creator_admin_permissions = true
+  tags = {
+    "slim:schedule" = "8:00-17:00"
+    "cluster:size"  = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}"
+  }
+
+  # Common configuration
+  common_retry_args = {
+    commands  = get_terraform_commands_that_need_locking()
+    arguments = ["-lock-timeout=20m"]
+  }
+
+  common_dependencies = ["../eks", "../eks-config"]
+
+  common_mock_eks = {
+    cluster_name      = "mock-cluster"
+    oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+  }
+}
diff --git a/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl b/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl
@@ -0,0 +1,58 @@
+include "root" {
+  path           = find_in_parent_folders("root.hcl")
+  merge_strategy = "deep"
+  expose         = true
+}
+
+terraform {
+  source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}"
+
+  extra_arguments "retry_lock" {
+    commands  = get_terraform_commands_that_need_locking()
+    arguments = ["-lock-timeout=20s"]
+  }
+}
+
+dependencies {
+  paths = [
+    "../eks",
+    "../eks-config",
+    "../eks-karpenter",
+    "../eks-metrics-server",
+  ]
+}
+
+dependency "eks" {
+  config_path                             = "../eks"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+
+  mock_outputs = {
+    cluster_name      = include.root.inputs.cluster_name
+    oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+    cluster_endpoint  = "https://mock-endpoint.eks.amazonaws.com"
+    cluster_version   = include.root.inputs.cluster_version
+  }
+}
+
+inputs = {
+  # AWS Configuration
+  account_id = include.root.inputs.aws_account_id
+  profile    = include.root.inputs.aws_profile
+  region     = include.root.inputs.aws_region
+
+  # Cluster Configuration
+  cluster_name         = dependency.eks.outputs.cluster_name
+  cluster_mailing_list = include.root.inputs.cluster_mailing_list
+  oidc_provider_arn    = dependency.eks.outputs.oidc_provider_arn
+
+  # Cert Manager Configuration
+  cert_manager_helm_chart = include.root.inputs.cert_manager_helm_chart
+  cluster_issuer_name     = include.root.inputs.cluster_issuer_name
+  namespace               = include.root.inputs.namespaces["cert-manager"]
+
+  # Version Tags
+  cert_manager_cainjector_tag      = include.root.inputs.cert_manager_cainjector_tag
+  cert_manager_controller_tag      = include.root.inputs.cert_manager_controller_tag
+  cert_manager_startupapicheck_tag = include.root.inputs.cert_manager_startupapicheck_tag
+  cert_manager_webhook_tag         = include.root.inputs.cert_manager_webhook_tag
+}
diff --git a/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl b/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl
@@ -0,0 +1,55 @@
+include "root" {
+  path           = find_in_parent_folders("root.hcl")
+  merge_strategy = "deep"
+  expose         = true
+}
+
+dependencies {
+  paths = [
+    "../eks",
+    "../eks-karpenter",
+    "../eks-metrics-server",
+  ]
+}
+
+terraform {
+  source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}"
+
+  extra_arguments "retry_lock" {
+    commands  = get_terraform_commands_that_need_locking()
+    arguments = ["-lock-timeout=20s"]
+  }
+}
+
+dependency "eks" {
+  config_path                             = "../eks"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+
+  mock_outputs = {
+    cluster_name                                    = "mock-cluster"
+    cluster_endpoint                                = "https://mock-endpoint.eks.amazonaws.com"
+    cluster_certificate_authority_data              = [{ data = "mock-cert-data" }]
+    eks_managed_node_groups_autoscaling_group_names = ["mock-asg-name"]
+    oidc_provider_arn                               = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+    security_group_all_worker_mgmt_id               = "sg-mock"
+    subnets                                         = ["subnet-mock1", "subnet-mock2"]
+    vpc_id                                          = "vpc-mock"
+  }
+}
+
+inputs = {
+  # AWS Configuration
+  account_id = include.root.inputs.aws_account_id
+  profile    = include.root.inputs.aws_profile
+  region     = include.root.inputs.aws_region
+
+  # Core Cluster Configuration
+  cluster_name                                    = dependency.eks.outputs.cluster_name
+  eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names
+  oidc_provider_arn                               = dependency.eks.outputs.oidc_provider_arn
+  security_group_all_worker_mgmt_id               = dependency.eks.outputs.security_group_all_worker_mgmt_id
+  subnets                                         = dependency.eks.outputs.subnets
+  vpc_id                                          = dependency.eks.outputs.vpc_id
+  operators_ns                                    = include.root.inputs.operator_namespace
+  telemetry_ns                                    = include.root.inputs.telemetry_namespace
+}
diff --git a/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl b/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl
@@ -0,0 +1,60 @@
+include "root" {
+  path           = find_in_parent_folders("root.hcl")
+  merge_strategy = "deep"
+  expose         = true
+}
+
+terraform {
+  source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}"
+  extra_arguments "retry_lock" {
+    commands  = get_terraform_commands_that_need_locking()
+    arguments = ["-lock-timeout=20s"]
+  }
+}
+
+dependency "eks" {
+  config_path                             = "../eks"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    cluster_name = include.root.inputs.cluster_name
+    subnets      = ["subnet-mock1", "subnet-mock2", "subnet-mock3"]
+  }
+}
+
+dependency "eks-istio" {
+  config_path                             = "../eks-istio"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    istio_ingress_lb = {
+      dns_name = "mock-${include.root.inputs.cluster_name}.elb.amazonaws.com"
+      zone_id  = "MOCKZONEID"
+    }
+  }
+}
+
+dependencies {
+  paths = [
+    "../eks",
+    "../eks-istio",
+    "../eks-metrics-server",
+  ]
+}
+
+inputs = {
+  # AWS Configuration
+  account_id = include.root.inputs.aws_account_id
+  profile    = include.root.inputs.aws_profile
+  region     = include.root.inputs.aws_region
+
+  # Cluster Configuration
+  cluster_name = include.root.inputs.cluster_name
+
+  # Network Configuration
+  istio_ingress_lb  = dependency.eks-istio.outputs.istio_ingress_lb
+  route53_endpoints = include.root.inputs.route53_endpoints
+  vpc_domain_name   = include.root.inputs.vpc_domain_name
+  vpc_name          = include.root.inputs.vpc_name
+
+  # Additional Configuration
+  tags = include.root.inputs.tags
+}